Direction paradigm? n00b question



I'm pretty new to ISA2k4 and am thoroughly confused by the new(er)
policy interface and conceptual structure. First, the difference
between "system policy" and the other rules is lost on me (particularly
since it seems impossible to actually ADD a rule to system policy), but
that's not really my question.

In ISA 2k, packet filter rules made sense to me. They were based on a
very simple filter definition that specified IP protocol type, local
and remote port numbers (with options for dynamic or all port numbers)
and the direction of initial traffic *relative to the ISA server*.
There were tabs to specify the identities of local and remote
computers. It was conceptually no different from configuring iptables
or many "black box" firewalls (e.g., Firebox).

In ISA 2k4, there are no more packet filters...da*n shame, because MS
took a conceptually simple task and made it much more confusing.
First, it seems that the "incoming" and "outgoing" direction concepts
have changed in their point of perspective: Incoming and outgoing used
to be relative to the ISA machine itself. Now I can't tell what the
point of reference is, but, viewing some of the default system policy
rules, it doesn't seem to be ISA.

So here are the questions:
What is the reference point (e.g., ISA machine, LAN, other) from which
to determine "incoming" vs. "outgoing" protocols?

That also begs the question of how to duplicate the functionality of
ISA 2k packet filters in ISA 2k4. If one is trying to open a port for
traffic incoming to the ISA (from local LAN or external nets), is the
rule supposed to be a server publishing rule or an access rule (or do
you need one of each to cover the "from external" and "from LAN"
scenarios)? Also, a la a packet filter, how do you lock down client
ports on an access or server publishing rule? I see no way to do that.

Pls. excuse the minor rant and n00b-oriented questions; I'm a bit
turned about on this.
